Deserialization from an untrusted source using the XMLDecoder library can lead to unexpected code execution. For example, it has led in the past to the following vulnerability:
XMLDecoder supports arbitrary method invocation. This capability is intended to call setter methods only but nothing prevents the execution of any other method.
This rule raises an issue when XMLDecoder is instantiated. The call to "readObject" is also highlighted to show where the malicious code can be executed.
(*) You are at risk if you answered yes to this question.
If you only need a simple deserialization, use instead one of the deserialization libraries recommended by OWASP.
If you really need to use XMLDecoder, make sure that the serialized data cannot be tampered with.
public void decode(InputStream in) { XMLDecoder d = new XMLDecoder(in); // Sensitive Object result = d.readObject(); [...] d.close(); }
This rule is deprecated, and will eventually be removed.